Software defined networking (SDN) is a new network architecture. Compared with the internet protocol (IP) route searching used in a conventional network, SDN/OpenFlow can implement flexible control of network traffic. It therefore provides a desirable platform for innovation in core networks and applications, and is a direction of development for future network architectures.
As shown in FIG. 1, the SDN generally includes two parts: a controller 110 and forwarding devices 120. The controller 110 is connected to each forwarding device 120 in the network, and the forwarding devices 120 in the network are topologically connected. The controller 110 is responsible for centralized control of the network, that is, after receiving a control policy, the controller 110 generates a forwarding path according to the control policy, and generates a forwarding entry for each forwarding device 120. After receiving the forwarding entry, the forwarding device 120 performs, according to the received forwarding entry, matching and forwarding on a packet sent by a user terminal.
However, in some cases, some policies received by the controller 110 may be in conflict with each other.
For example, the daily work of a research and development department involves secrets of a company, so the research and development department is strictly prohibited from accessing an external network and can access only an internal network of the company. Therefore, an administrator may deliver a policy 1 to a controller according to this feature of the research and development department, where the policy 1 acts on a forwarding device S0. The forwarding device S0 forwards a packet of a user terminal that satisfies the policy 1 to another forwarding device in the SDN, and that other forwarding device then forwards the packet to a corresponding network, for example, an external network or an internal network.
Policy 1: A server of the research and development department cannot access the external network, and all employees of the research and development department can access the internal network of the company by using a forwarding device S1.
Moreover, a pre-research group in the research and development department needs to access the external network to collect data. Therefore, the administrator may deliver a policy 2 to the controller according to this feature of the pre-research group, where the policy 2 also acts on the forwarding device S0. The forwarding device S0 forwards a packet of a user terminal that satisfies the policy 2 to another forwarding device in the SDN, and that other forwarding device then forwards the packet to a corresponding network, for example, an external network or an internal network.
Policy 2: A server of the pre-research group cannot access a secure shell (SSH) service, and employees of the pre-research group can access the external network by using a forwarding device S2.
As can be seen from the foregoing two policies, the intent is that employees of the pre-research group should be able to access the external network. In practice, however, the pre-research group is a part of the research and development department, and the policy 1 prohibits all the employees of the research and development department from accessing the external network, so the controller 110 cannot perform processing after receiving the two conflicting control policies. Therefore, the controller 110 can convert only the policy with the highest priority into a forwarding entry and send that forwarding entry to the forwarding device S0, so that the forwarding device S0 can forward a packet only according to the policy with the highest priority. The priority of the policy 1 delivered for the research and development department is higher than the priority of the policy 2 delivered for the pre-research group; therefore, the forwarding device S0 forwards a packet only according to the policy 1 and does not forward a packet according to the policy 2, with the result that the pre-research group remains unable to access the external network.
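The conflict described above can be reproduced with a small model. This is an added example, not code from the original document: the `Policy` structure, the priority values and the address prefixes (10.1.0.0/16 for the research and development department, 10.1.5.0/24 for the pre-research group) are constructed assumptions, and the SSH restriction in policy 2 is left out to keep the focus on the external-network conflict.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    priority: int   # larger value wins (assumed convention)
    src: str        # source prefix (constructed addresses)
    dst: str        # "external" or "internal"
    action: str     # "deny" or "forward:<device>"

# Constructed encoding of policy 1 and policy 2, both acting on S0.
POLICIES = [
    Policy("policy1-deny-external", 200, "10.1.0.0/16", "external", "deny"),
    Policy("policy1-internal", 200, "10.1.0.0/16", "internal", "forward:S1"),
    Policy("policy2-external", 100, "10.1.5.0/24", "external", "forward:S2"),
]

def find_conflicts(policies):
    """Return name pairs whose match spaces overlap but whose actions differ."""
    conflicts = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            net_a = ipaddress.ip_network(a.src)
            net_b = ipaddress.ip_network(b.src)
            if a.dst == b.dst and net_a.overlaps(net_b) and a.action != b.action:
                conflicts.append((a.name, b.name))
    return conflicts

def highest_priority_only(policies):
    """Model the controller behaviour above: only the top-priority
    policy is converted into forwarding entries for S0."""
    top = max(p.priority for p in policies)
    return [p for p in policies if p.priority == top]

def lookup(entries, src_ip, dst):
    """Return the action S0 applies to a packet, or None if nothing matches."""
    ip = ipaddress.ip_address(src_ip)
    hits = [e for e in entries
            if e.dst == dst and ip in ipaddress.ip_network(e.src)]
    return max(hits, key=lambda e: e.priority).action if hits else None

if __name__ == "__main__":
    installed = highest_priority_only(POLICIES)
    print("conflicts:", find_conflicts(POLICIES))
    # 10.1.5.7 is a constructed pre-research group host.
    print("pre-research -> external:", lookup(installed, "10.1.5.7", "external"))
```

Running the overlap check before entries are generated flags the pair of policies at the point where the administrator can still resolve it, instead of the conflict surfacing later as lost connectivity for the pre-research group.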